Who is F5?

Is SSL Smuggling Malware into your Business?

Gary Newe

Published October 21, 2015

We all know about SSL, that vital bit of cryptographical kit that protects our online communications. It protects communications between the web browsers we use and the servers where websites such as this one are hosted. You’ll recognise a secure website by the padlock symbol, or the use of HTTPS in the address.

And generally speaking, SSL is a good thing. Any transaction that involves financial information, such as banking or online shopping, uses SSL to keep your information private. But recently there has been a drive to secure all internet traffic with SSL, not just traffic that contains username/password combinations or financial data. Headline-grabbing news stories such as the Edward Snowden global mass surveillance revelations mean more users are demanding encryption online, and providers are happy to oblige.

That’s why its use is increasing; most of the world’s most popular websites such as Google, Amazon and Facebook now have HTTPS - which provides SSL encryption - switched on by default on all traffic. It is estimated that by the end of 2015 over half the world’s internet traffic will be encrypted. (Primarily that’s due to Netflix, which accounts for a huge percentage of internet traffic and is switching to HTTPS.)

But while there’s no doubt encrypting internet traffic will protect more of our sensitive data, it does actually bring increased risks for enterprises. That’s because many enterprise security devices are blind to what’s in the encrypted traffic, meaning malware can sneak by undetected.

Firewalls, web gateways, intrusion prevention systems and more can struggle to detect malware that arrives via encrypted traffic. It could prove to be a nightmare for enterprises if cyber criminals can hide malware within a supposedly secure transaction. And this works both ways; not only can malware arrive without being detected, it can also send sensitive information back to its controller in an encrypted transaction that most security tools wouldn’t pick up.

One example of this is the Dyre banking malware. According to reports, this malware was capable of stealing information before encryption kicks in, and sending it back to the command and control server under the guise of legitimate encrypted traffic. Crucially, the session appears secure as the padlock symbol is displayed, but behind the scenes sensitive data is being hoovered up.

In fact, any dodgy website can serve up drive-by malware and if the session is encrypted security tools cannot determine what the actual content of that traffic is, or where it’s going. Devices such as the proxy server or the URL filtering gateway are completely blind to it.

It’s a very real problem that enterprises are facing. Figures from Gartner indicate that less than 20% of organisations using firewalls, IPS or UTM decrypt SSL traffic, meaning malware hidden within SSL traffic would bypass those security platforms. Gartner also claims that by 2017, over 50% of network attacks that target enterprises will use SSL to bypass security.

How do enterprises ensure they are not caught out by malware hiding within encrypted traffic? The simple answer would be to decrypt that traffic, but the question is how to do that without invading privacy or leaving sensitive data open to attacks.

So it becomes a question of knowing which traffic should be decrypted. If a business is serving content out to users externally, it needs to use some sort of device to offload SSL traffic from the server and then insert protection into the traffic flow. This will break the SSL, but in an intelligent way; you don’t want to decrypt a banking session but you do for a Facebook session.

Security needs to have the intelligence to understand where the traffic is going and then make a decision on whether it should be decrypted or left as it is. It’s breaking SSL, but in a safe and intelligent way.